CN115515878A - Method for operating a people conveyor by reliably configuring an electronic safety device - Google Patents

Method for operating a people conveyor by reliably configuring an electronic safety device Download PDF

Info

Publication number
CN115515878A
CN115515878A CN202180033650.4A CN202180033650A CN115515878A CN 115515878 A CN115515878 A CN 115515878A CN 202180033650 A CN202180033650 A CN 202180033650A CN 115515878 A CN115515878 A CN 115515878A
Authority
CN
China
Prior art keywords
controller
configuration parameters
configuration
configuration parameter
safety device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202180033650.4A
Other languages
Chinese (zh)
Inventor
大卫·米歇尔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inventio AG
Original Assignee
Inventio AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inventio AG filed Critical Inventio AG
Publication of CN115515878A publication Critical patent/CN115515878A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B1/00Control systems of elevators in general
    • B66B1/34Details, e.g. call counting devices, data transmission from car to control system, devices giving information to the control system
    • B66B1/3407Setting or modification of parameters of the control system
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B1/00Control systems of elevators in general
    • B66B1/02Control systems without regulation, i.e. without retroactive action
    • B66B1/06Control systems without regulation, i.e. without retroactive action electric
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B1/00Control systems of elevators in general
    • B66B1/24Control systems with regulation, i.e. with retroactive action, for influencing travelling speed, acceleration, or deceleration
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B1/00Control systems of elevators in general
    • B66B1/34Details, e.g. call counting devices, data transmission from car to control system, devices giving information to the control system
    • B66B1/3415Control system configuration and the data transmission or communication within the control system
    • B66B1/3446Data transmission or communication within the control system
    • B66B1/3461Data transmission or communication within the control system between the elevator control system and remote or mobile stations
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B5/00Applications of checking, fault-correcting, or safety devices in elevators
    • B66B5/0006Monitoring devices or performance analysers
    • B66B5/0018Devices monitoring the operating condition of the elevator system
    • B66B5/0031Devices monitoring the operating condition of the elevator system for safety reasons
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B1/00Control systems of elevators in general
    • B66B1/34Details, e.g. call counting devices, data transmission from car to control system, devices giving information to the control system
    • B66B1/36Means for stopping the cars, cages, or skips at predetermined levels
    • B66B1/40Means for stopping the cars, cages, or skips at predetermined levels and for correct levelling at landings
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B1/00Control systems of elevators in general
    • B66B1/34Details, e.g. call counting devices, data transmission from car to control system, devices giving information to the control system
    • B66B1/46Adaptations of switches or switchgear
    • B66B1/468Call registering systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B5/00Applications of checking, fault-correcting, or safety devices in elevators
    • B66B5/0006Monitoring devices or performance analysers
    • B66B5/0018Devices monitoring the operating condition of the elevator system
    • B66B5/0025Devices monitoring the operating condition of the elevator system for maintenance or repair

Abstract

The invention relates to a method for operating a people conveyor (1) and to a people conveyor suitable for carrying out the method. The people mover has a controller (11) for controlling functions of the people mover and a safety device (17) for monitoring safety-critical functions of the people mover. The safety device can monitor safety-critical functions according to certain specifications by storing nominal configuration parameters (47) in a configured state. The method comprises the following steps: receiving, by a controller, a first configuration parameter (41) and a second configuration parameter (43) created independently of the first configuration parameter; transmitting the first and second configuration parameters to the security device, wherein the first configuration parameter (41) and the second configuration parameter (43) are associated with the same nominal configuration parameter (47); the first configuration parameter and the second configuration parameter are compared in the safety device, and if the first configuration parameter and the second configuration parameter correspond within a predefined tolerance, the corresponding setpoint configuration parameter (47) is stored in the safety device, and a setpoint configuration parameter and/or a configuration signal (49) is transmitted from the safety device to the controller. The controller controls the function of the people mover depending on whether nominal configuration parameters (47) and/or configuration signals (49) are received from the people mover.

Description

Method for operating a people conveyor by reliably configuring an electronic safety device
Technical Field
The invention relates to a method for operating a people conveyor and to a people conveyor configured for carrying out the method, to a computer program product and to a computer-readable medium.
Background
People moving equipment, such as elevators, escalators or moving walkways, are used as devices fixedly installed in buildings for transporting people and/or objects.
Various aspects and embodiments of the invention are described below primarily with reference to a people mover configured as an elevator installation. However, the described aspects and embodiments may also be used for other types of people moving equipment.
Personnel transport installations must generally meet high safety requirements. For this purpose, a plurality of safety devices are typically provided in the people mover, by means of which safety critical functions of the people mover can be monitored, i.e. actively controlled or at least passively monitored. Such safety-critical functions may include, for example, a measurement process, by means of which the current state or the current conditions in the people conveyor can be determined, so that the information obtained in this case can be taken into account when operating the people conveyor.
For example, it can be determined by means of a safety device in the form of a door sensor or door switch in the elevator installation whether the elevator doors are closed correctly, so that the elevator controller can decide on the basis of information transmitted from a plurality of such safety devices to different elevator doors of the elevator installation whether the elevator car is allowed to travel or whether the elevator is temporarily not allowed to travel due to the fact that at least one elevator door is not closed correctly.
Other safety devices may be arranged to provide information about where in the elevator shaft the elevator car is currently located and/or the speed at which the elevator car is currently moving through the elevator shaft. For this purpose, for example, the sensor can be moved together with the elevator car through the elevator shaft and read local information provided statically in the elevator shaft, from which local information the current position of the elevator car and the current speed of the elevator car can then be inferred. Based on this information, the elevator controller can cause the elevator car to travel to a desired position with high accuracy. Such a safety device can also monitor that the configurable maximum speed of the elevator car is not exceeded and trigger a corresponding safety measure upon detection of an exceedance.
Another type of safety device can be used to identify whether the elevator car is located above and below a parking position on the floor within a tolerance range. Based on this information the elevator controller can e.g. decide that the elevator doors are allowed to open already before the elevator car actually reaches the target parking position, i.e. during the time when the elevator car is still moving within the tolerance range (so-called pre-opening) furthermore the elevator controller can proceed in reverse of the rules otherwise applicable, i.e. that the elevator car is not allowed to move as long as the elevator doors are not fully closed, except that a slow movement of the elevator car is allowed as long as the elevator car is within the tolerance range around the parking position, in order thereby to be able to achieve e.g. horizontal balancing (so-called re-leveling) when passengers are getting in and out of the elevator car and thereby the load and finally the position of the elevator car changes.
In modern people mover, the safety device can be adapted to the situation-specific and/or device-specific main operating conditions and/or the characteristics of the people mover. Such a security device may therefore be referred to as a configurable security device. For this purpose, the safety device can be configured by entering configuration parameters into a state in which it monitors the function to be monitored by it in accordance with certain specifications. This state is referred to hereinafter as the configured state. Before the safety device is not put into the configured state, it is not permitted to operate in the people conveyor by entering its required configuration parameters case-specifically or device-specifically, so that usually the entire people conveyor is not yet ready for operation.
In modern people transportation installations, safety devices are increasingly implemented by means of electronic and/or programmable circuits. This aspect makes it possible for the security device to be adapted to different usage conditions and/or environmental conditions in that the security device can be individually adapted to monitor the function to be monitored by it in a predefined manner, for example by storing device-specific and/or situation-specific configuration parameters. The safety device can be operated particularly reliably, cost-effectively and/or easily maintained. On the other hand, a challenge may be to ensure that the configuration parameters used to program the security device are correct.
A method for configuring safety-critical configuration parameters in a people mover is described in WO2019/011828 A1. In patent application EP19179416 filed by the applicant of the present application at an earlier point in time, a method for operating a people conveyor with an electronically sealable (versiegeln) safety device is described.
Disclosure of Invention
There will mainly be a need for an alternative method in order to be able to configure the safety devices in a personnel transportation installation in as simple but reliable a manner as possible. Furthermore, there may be a need for a personnel carrier device designed for performing such a method. Finally, there may be a need for a computer program product designed to perform the proposed solution and a computer readable medium storing the computer program product.
This need may be met by the solution according to one of the independent claims. Advantageous embodiments are defined in the dependent claims and in the following description.
According to a first aspect of the invention, a method for operating a people conveyor is proposed. The people conveyor has a controller for controlling the functions of the people conveyor and at least one safety device for monitoring safety-critical functions of the people conveyor. The safety device can configure the monitoring of safety-critical functions according to certain specifications by storing nominal configuration parameters in a configured state. The method has at least the following steps, preferably in the order given:
receiving, by a controller, a first configuration parameter and a second configuration parameter created independently of the first configuration parameter, wherein the first configuration parameter and the second configuration parameter are associated with a same nominal configuration parameter;
transmitting the first configuration parameter and the second configuration parameter to the security device; and
the first configuration parameter and the second configuration parameter are compared in the safety device, and in the event that the first and second configuration parameters agree within a predefined tolerance, the nominal configuration parameter corresponding to the first and second configuration parameters is stored in the safety device, and the nominal configuration parameter and/or the configuration signal is transmitted from the safety device to the controller.
The controller controls the function of the people mover depending on whether nominal configuration parameters and/or configuration signals are received from the people mover.
In this case, the first configuration parameters and the second configuration parameters can also be transmitted to the one or more security devices and the nominal configuration parameters can be derived therefrom, which are stored in the one or more security devices.
According to a second aspect of the invention, a people mover is provided, which has a control for controlling the functions of the people mover and at least one safety device for monitoring safety-critical functions of the people mover. The security device may be configured to monitor the security-critical functions according to the determined specifications by storing the configuration parameters into the configured state. The controller and the safety device are configured to perform or control a method according to an embodiment of the first aspect of the invention.
According to a third aspect of the invention, a computer program product is presented which, when executed in a processor-controlled controller for controlling functions of a people mover and a processor-controlled safety device for monitoring safety-critical functions of a people mover, directs the people mover to perform or control a method according to an embodiment of the first aspect of the invention.
According to a fourth aspect of the present invention, a computer-readable medium is presented on which a computer program product according to an embodiment of the third aspect of the present invention is stored.
The feasible features and advantages of embodiments of the invention may be primarily, but not exclusively, considered based on the idea and insight described below.
As already briefly mentioned at the outset, modern people conveyor systems usually have a plurality of safety devices in order to be able to monitor safety-critical functions and thus to ensure safe operation of the people conveyor system. The safety device can be configured individually in order to be able to take into account the characteristics of the individual people conveyor and/or the operating conditions prevailing there. At least one of the individual configurations of the safety device described above is configured here when the safety device to be configured has been built up in the final position in the people conveyor.
Before the people mover is put into operation, its safety device must be correctly configured. To this end, suitable configuration parameters are conventionally created individually for each security device and communicated to the respective security device. The corresponding configuration parameters can be entered, for example, by a technician on a human-machine interface. The human-machine interface can for example correspond to or be integrated in the elevator control. Alternatively, the configuration parameters can be called, for example, by the elevator control or a device connected to the elevator control, for example, from an electronic data source. The configuration parameters are then sent by the elevator controller to the individual safety devices. The security device stores the received configuration parameters and can then operate configured accordingly. In order to be able to monitor whether the safety device receives and stores the correct configuration parameters, it can be provided that the configuration parameters are transmitted from the safety device back to the elevator control or to a human-machine interface connected thereto. There, the returned configuration parameters can then be monitored by a technician or compared to nominal values.
However, it has been found that errors may occur in the configuration process described above. For example, in the case of data transmission from the human machine interface to the elevator control unit and/or from the elevator control unit to the safety device, it can result in the data to be transmitted being modified unintentionally or as a result of systematic errors, so that in fact the data arriving at the safety device are erroneous.
In the worst case, during the data transmission to the safety device and the subsequent data transmission back to the elevator control or human machine interface, systematic errors can occur in such a way that, during the data transmission to the elevator control or human machine interface, the modifications of the data that are carried out during the data transmission are subsequently compensated and therefore cannot be detected, for example, by a monitoring technician.
Furthermore, it has been found that it is often necessary to a great deal of effort in configuring the security devices in order to input configuration data on the one hand and to check the information returned by the individual security devices about the stored configuration data on the other hand, in particular with regard to consistency.
In order to be able to eliminate the described disadvantages of the conventional configuration process in particular, a solution is briefly summarized for the method proposed here, in which, on the one hand, two configuration parameters created independently of one another are received in the controller and transmitted to the safety device, and, on the other hand, these two configuration parameters are compared directly with one another in the safety device and only if the two configuration parameters are sufficiently identical are the nominal configuration parameters corresponding to these two configuration parameters stored in the safety device. Subsequently, the nominal configuration parameters and/or configuration signals are transmitted from the safety device back into the controller to signal to the controller that the safety device has been correctly configured and/or to enable final monitoring of the nominal configuration parameters, for example by a technician or by comparison with nominal values.
In this case, the first and second configuration parameters both relate to the same setpoint parameter for which a predefined value is to be stored in the safety device. The nominal parameter can, for example, indicate the stopping position of a floor or the size of the above-mentioned tolerance range around the maximum speed of the above-mentioned elevator car. In other words, the first and second configuration parameters should ideally be identical or deviate from one another in any case by a predefined tolerance. However, these two configuration parameters should be created independently of each other. That is, each of the two configuration parameters is created without knowledge of the respective other of the configuration parameters. For example, the two configuration parameters may be created by means of different data sources. It is thereby achieved that the probability that the two configuration parameters do not correctly reflect the nominal configuration but nevertheless coincide is extremely small.
These two configuration parameters are then transmitted by the controller to the security device. In the security device, the two configuration parameters are compared with each other. If the two received configuration parameters are the same or at least sufficiently consistent within a specified tolerance, then this is considered that the two configuration parameters correctly reflect the nominal values. Subsequently, the respective desired configuration parameter is stored in the safety device, which corresponds to two identical configuration parameters or at least lies within a predefined tolerance around two configuration parameters. It is also possible to use one of the two configuration parameters as the setpoint configuration parameter if the two configuration parameters are sufficiently identical, at least within a predefined tolerance. It may be determined which of the two configuration parameters is accepted.
In this way, the two configuration parameters created independently of one another are first compared with one another within the security device itself, so that the risk is minimized that the configuration parameters are incorrectly modified during their data transmission to the security device and are then correspondingly incorrectly stored in the security device. If a modification of the configuration parameters takes place during this data transmission, this may result in the missing consistency being recognized in the security device when comparing the received configuration parameters and subsequently in the prevention of the logging of incorrect configuration parameters.
Only if the two configuration parameters created independently of one another are sufficiently identical after their transmission from the controller to the safety device does the corresponding setpoint configuration parameters be stored in the safety device, so that the safety device is subsequently configured in the correct manner. On the other hand, in this case only nominal configuration parameters or configuration signals are transmitted from the safety device to the controller to inform the controller that the safety device has been correctly configured.
The controller is configured such that it controls the function of the people conveyor based on whether it has previously received nominal configuration parameters or configuration signals. This means that the controller, after receiving the nominal configuration parameters or configuration signals, controls the people conveyor in a different way than before said receiving. The control device can, for example, control the people mover before the reception, so that the movable components of the people mover, for example the elevator car of the elevator installation, do not move at all or move only very slowly, i.e. only more slowly than in the normal operation of the people mover. Only after said receiving, the movable part is moved at the normal speed. Furthermore, it is conceivable to further control the people conveyor on the basis of the reception.
In order to further increase the reliability of the method in the case of the return of the setpoint configuration parameters to the control unit, the setpoint configuration parameters can be monitored at the same time or in a device associated with the control unit, for which purpose, for example, a technician can check the returned setpoint configuration parameters or the setpoint configuration parameters can be compared manually or automatically with the setpoint values.
The control unit is designed in particular such that it controls the functions of a people conveyor designed as an elevator installation in the following manner: so that the elevator car of the people mover moves in the elevator shaft only after it has received the nominal configuration parameters and/or the configuration signal. This ensures that the elevator car moves only after the safety gear has been fitted. This enables a particularly reliable operation of the elevator installation.
The controller can be embodied in particular to operate the function of the people conveyor to a limited extent in any case before the reception of the above-mentioned nominal configuration parameters or configuration signals and to operate the function of the people conveyor to the full extent after the above-mentioned reception. The limited range may be referred to as a commissioning or maintenance mode, for example, and the full range may be referred to as a normal mode.
According to one embodiment, the controller may receive the first configuration parameter or the second configuration parameter at the human-machine interface based on a manual input performed by a person.
In other words, one of the configuration parameters to be received by the controller may be obtained by entering the configuration parameter on a human-machine interface by a person, e.g. an authorized technician. Such a human machine interface may be an integral part of the controller. Alternatively, the human-machine interface may be provided as a separate device and coupled with the interface, for example temporarily or permanently.
The human-machine interface may have an input device through which a person may input data reflecting the configuration parameters. For this purpose, the human-machine interface can have, for example, a keyboard, a touch-sensitive screen or the like. Furthermore, the human-machine interface may have an output device in order to be able to output data in a manner perceptible to a person. For this purpose, for example, a screen, a loudspeaker or the like can be used.
Thus, within the scope of the configuration process, a person may communicate one of the independently created configuration parameters to the controller through the human machine interface.
Alternatively or additionally, according to an embodiment, the controller may receive the first configuration parameter or the second configuration parameter by invoking data from a remotely arranged database.
In other words, one of the parameters that is created independently may be obtained by calling the parameter from the database. The database can be stored remotely from the controller and in particular also from the entire people mover, for example on a server or in a data Cloud ("Cloud"). The controller or the device communicating therewith may be connected for data transmission with the database, for example by wired or wireless data transmission.
According to one specific embodiment, data can be called up in a database, which are created during the design process and/or the order of the people mover and which contain or can be derived from the first configuration parameters and/or the second configuration parameters.
In other words, one of the configuration parameters to be received by the controller may be created based on data previously created when the designer or custom personnel carrier devices. In such a design or customization, the safety device to be installed in the people conveyor is usually also selected and planned in terms of its configuration. Accordingly, detailed information about the nominal configuration of the individual safety devices of the people conveyor can be found in the data generated in this way. These data are typically stored in a database, for example at the manufacturer of the personnel carrier and/or the safety device, and can therefore be recalled from the controller as required.
According to one embodiment, the controller may receive the first configuration parameter and/or the second configuration parameter from a mobile, processor-controlled data processing device, which may be temporarily coupled to the controller for data exchange.
In other words, the controller may be at least temporarily coupled to a mobile processor-controlled data processing device and may receive parameters through the configuration. For example, the data processing device may be a smart phone (e.g., a smart phone), a portable computer (e.g., a laptop computer), or similar portable device equipped with a processor for data processing. For example, the data processing device may be carried by an authorized technician and/or coupled to the controller. For example, the data processing device may be a technician's smartphone on which a special application (App) is installed. Here, the data transmission between the data processing device and the controller may be performed by wire or wirelessly. The data processing device can also have a data memory in addition to its processor, in which data can be stored, and/or a data interface, by means of which data can be exchanged with other devices. Furthermore, the data processing device can have a human-machine interface, via which data can be input by a person and/or output in a manner perceptible to the person.
The data processing device may serve as a human-machine interface for the controller after it is coupled with the controller. For example, data reflecting one of the configuration parameters may be entered by a person at the data processing device, for example via his keyboard or his touch screen. These data may then be forwarded to the controller.
Alternatively or additionally, the data processing device may be used to invoke data reflecting one of the configuration parameters, for example from a remote database, and then forward the data to the controller.
According to a further embodiment, the controller can receive the first configuration parameter or the second configuration parameter from a data memory, which is coupled to the controller for data exchange.
In contrast to the previously described data processing device, the data memory does not require the data processing capacity itself here, i.e. it does not require its own processor. Instead, the data store may simply store the data and provide it to the controller for recall when needed. In contrast to data processing devices, data memories usually also do not have their own power supply. The data storage device may be volatile or non-volatile memory. For example, the data storage may be a flash memory, for example in the form of a SIM card or SD card.
The data stored on the data store may reflect configuration parameters. Here, the data may be created independently of data provided to the controller through other channels reflecting configuration parameters. For example, the data stored in the data storage may be determined and stored in advance by the manufacturer of the security device or the manufacturer of the controller.
After the safety device has compared the two configuration parameters transmitted by the controller and coming from different sources and stored the nominal configuration parameters if the two configuration parameters are sufficiently consistent, the safety device may transmit a configuration signal to the controller as confirmation of storing the nominal configuration parameters. Alternatively or additionally, the safety device may communicate the nominal configuration parameters themselves to the controller. The controller may evaluate to receive only the nominal configuration parameters as an indication that the safety device has been properly configured. Alternatively, the setpoint configuration parameters can be evaluated, for example, to detect whether they correspond to a predetermined setpoint value. This can be done, for example, within the controller itself.
Alternatively or additionally, the controller according to an embodiment may transmit the nominal configuration parameters to a mobile, processor-controlled data processing device.
The data processing device can be the same device as described above and is used to input one of the configuration parameters. Alternatively, other data processing devices can also be provided for this purpose, which can be designed in a structurally and/or functionally identical or similar manner to the data processing devices described above.
The data processing device can then be used, for example, as a human-machine interface in order to output the transmitted setpoint configuration parameters, for example, in a manner perceptible to a technician. Alternatively, the data processing device can use its data communication interface to transmit the received setpoint configuration parameters, for example, to an external device, for example, a monitoring device for monitoring the function of the elevator installation.
According to a specific embodiment, the data processing device may output the nominal configuration parameters to a person and send a sealing signal to the controller upon confirmation of correctness of the nominal configuration parameters by the person. The control unit can be designed to operate the function of the people conveyor within a limited range in any case before the receipt of the sealing signal and within the full range after the receipt of the sealing signal.
In other words, the data processing device may be used, for example, to enable an authorized technician to check the nominal configuration parameters transmitted by the security device to the controller and further to the data processing device for correctness. To this end, the technician can compare the information about the setpoint configuration parameters output to the data processing device with other information available to the technician, for example information about the setpoint values. It can be provided that the elevator installation can be operated in its full functional range only if such an inspection has been carried out by an authorized technician. In conventional elevator installations, provision can be made for the safety device to be sealed after it has been checked by a technician, i.e. for example a lead seal is provided for the safety device. In the solution presented here, the sealing can be carried out electronically, i.e. the control unit can be designed to allow the full functional range of the elevator installation only when the nominal configuration parameters stored by the safety device and subsequently transmitted are checked by a technician and the correctness thereof is verified.
For this purpose, the technician can make an input, for example, on the mobile data processing device for the purpose of confirming the correctness, and then transmit a sealing signal to the control of the elevator installation on the basis of this input. Only after receiving the sealing signal does the control switch from a restricted operating mode, in which safety-critical functions of the people conveyor are in any case permitted within a restricted range, to a normal operating mode, in which all safety-critical functions of the people conveyor are permitted and monitored by the controller.
According to a specific embodiment, the controller may transmit a sealing signal to the safety device, and the safety device then switches to a sealing state after receiving the sealing signal. The security device then transmits the receipt signal to the controller. The controller is provided for operating the function of the people conveyor within a limited range in any case before the receipt signal is received and within the full range after the receipt signal is received.
Once the security device is in the sealed state, the changed configuration parameters are stored in the security device only under increased security conditions, for example by entering a special authorization code. As a result, unauthorized changes of the configuration parameters can be prevented particularly effectively, which enables particularly safe operation of the people mover.
In the described electronic seal, techniques and/or method steps can be used as are also described in a similar manner in patent application EP19179416 filed by the applicant at an earlier time.
According to one embodiment, the first configuration parameter and/or the second configuration parameter are each transmitted by the controller to the security device together with a checksum characterizing the respective configuration parameter.
In other words, the respective configuration parameter is preferably not transmitted as unique data between the controller and the safety device, but the data reflecting the configuration parameter is supplemented by data reflecting a checksum characterizing the respective configuration parameter.
Such a checksum may be used within the scope of a cyclic redundancy check and is therefore sometimes also referred to as a CRC (cyclic redundancy check). A cyclic redundancy check is a method of determining a check value of data so that an error in transmitting or storing the data can be identified. In the method, ideally, the received data can even be corrected independently in order to avoid retransmissions. In this case, additional redundancy in the form of so-called CRC values is added to the data blocks of the user data, for example, before the data transmission or data storage. The CRC value acts as a checksum and is a check value calculated in a specific manner, by means of which errors that may occur during storage or transmission can be identified. Thus, by additionally characterizing the checksums of the individual configuration parameters, the risk of unrecognized errors occurring when transmitting the configuration parameters from the controller to the safety device can be minimized.
According to one embodiment, the method proposed here is designed such that the data set reflecting the first configuration parameters and/or the second configuration parameters is not modified by the controller before being transmitted to the secure device.
In other words, the controller of the people mover should not process or modify the configuration data received from the people mover in any way as far as possible, but forward the configuration data directly to the safety device without change. In this context, a data set reflecting configuration parameters is to be understood as a representation of the configuration parameters in information technology. If the configuration parameters are transmitted to the controller, for example in the form of a sequence of logic bits, the controller forwards this sequence of bits accurately to the secure device. It is possible here for the controller to transmit further information, for example the above-mentioned checksum, to the security device directly before or after the bit sequence.
Preferably, the controller should also not modify the data set in any way before it is output, for example on a human-machine interface, said data set reflecting the nominal configuration parameters transmitted back by the safety device.
In particular, it is therefore to be avoided that configuration parameters received by the controller are erroneously forwarded to the safety device, for example, as a result of systematic errors which may occur during the processing of data in the controller. In particular, it should be avoided that the at least one first configuration parameter and the at least one second configuration parameter are incorrectly processed in the same systematic manner and that, despite the recognition on the security device that the two configuration parameters are identical, the two configuration parameters are incorrect. In the worst case, the target configuration parameters returned by the safety device to the controller are then processed incorrectly by the controller in the opposite way, so that incorrect data changes occurring in the meantime are compensated for and the incorrect configuration parameters stored in the safety device do not themselves attract attention when monitored by an authorized technician.
In the people conveyor according to the second aspect of the invention, its controller and its at least one safety device are configured such that the people conveyor is able to perform the method described herein and thus ensure a correct configuration of the safety device.
The controller can be designed to exchange signals or data with different actuators and/or sensors in the people mover. In particular, the controller may control the operation of the drive machine of the people conveyor. The controller may also accept inputs from different human machine interfaces in order to control the operation of the people conveyor system on the basis thereof or to output information about the current state of the people conveyor system via the human machine interface. Such a human-machine interface may comprise, for example, buttons, keys, sensors, screens, loudspeakers and/or the like on the operating panel of the elevator installation. The controller can have, for example, individual modules which communicate with one another, wherein, for example, one module carries out safety-critical tasks, while another module handles the human-machine interface and controls the drive device.
The safety device may be designed to monitor safety-critical functions in the personnel handling equipment. To this end, the safety device may have one or more sensors in order to be able to detect physical quantities which are relevant for safety-critical functions. The safety device may also have one or more actuators with which such a physical quantity can be influenced.
The safety device can also be constructed in a modular manner, i.e. with a plurality of different modules having different functions. In particular, the plurality of modules are configurable and each monitor a safety-critical function of the people conveyor. The security device then transmits a configuration signal or a sealing signal to the controller after all configurable modules have been configured.
For example, the safety device may be designed to detect the current opening state of the elevator doors, to measure the current traveling speed of the elevator car, to determine the current position of the elevator car within the elevator shaft, to detect the load or acceleration currently acting on the elevator car, etc.
By storing the nominal configuration parameters, the safety device can be adapted to the characteristics of the people mover and/or to the conditions prevailing in the people mover.
The method described here can be carried out by a processor-controlled controller of the people conveyor in cooperation with a processor-controlled safety device. Here, both the controller and the security device may execute program code, which is part of a computer program product according to the third aspect of the invention. The computer program product may thus instruct the controller and the safety device to perform or control the sub-steps of the method described herein to be performed by the controller and the safety device, respectively. The computer program product can be written in any computer language.
Such a computer program product may be stored on a computer readable medium according to the fourth aspect of the invention. Such a medium may be any volatile or non-volatile data storage medium. For example, the computer readable medium may be a portable data storage device in the form of, for example, a flash memory, a DVD, a CD, or the like. The computer readable medium may also be part of another computer or server or part of a data Cloud (Cloud) from which the computer program product may be downloaded, e.g. over a network such as the internet.
It should be noted that some possible features and advantages of the invention are described herein with reference to different embodiments of a method for operating a people conveyor on the one hand and a correspondingly configured people conveyor on the other hand. Those skilled in the art realize that the described features can be combined, adapted or substituted in a suitable manner in order to realize further embodiments of the present invention.
Drawings
Embodiments of the invention are described below with reference to the drawings, wherein neither the drawings nor the description should be construed as limiting the invention.
Fig. 1 shows an elevator installation according to an embodiment of the invention.
Fig. 2 shows a diagram for illustrating data transmission and data processing within the scope of the method according to an embodiment of the invention.
The figures are purely diagrammatic and not drawn to scale. The same reference numbers in different drawings identify the same or equivalent features.
In the following, it is described that the nominal configuration parameters are determined solely from the first and second configuration parameters and are stored in the safety device. However, this should not be construed as limiting. It is likewise possible for a plurality of first configuration parameters and a plurality of second configuration parameters to be transmitted analogously to one or more safety devices and for a plurality of target configuration parameters to be derived therefrom, the target configuration parameters being stored in the one or more safety devices.
Detailed Description
Fig. 1 shows a very rough schematic representation of a people mover 1 in the form of an elevator installation. The elevator car 5 is arranged in the elevator shaft 3 and is held by a rope-like support means 9. The drive machine 7 can move the rope-like support means 9 and thereby displace the elevator car 5 vertically. The drive machine 7 is controlled by a controller 11. An elevator door 13 is provided at one floor. The current closed state of the elevator door 13 is monitored with a safety device 17 in the form of a door switch 15. A plurality of further safety devices 17 can also be provided in the people mover 1, for example in order to monitor the closed state or other functions of the further elevator doors 13.
The technician 23 can access the people mover 1 in order to configure the people mover 1 and in particular its security device 17 with his smartphone 19 as a mobile data processing device 21. This can be done, for example, directly after the production of the people mover 1 has been completed or else within the scope of the maintenance of the people mover 1.
A possible embodiment of such a procedure for configuring the safety device 17 is described with reference to fig. 2.
First, the controller 11 receives a first configuration parameter 41 and a second configuration parameter 43. In this case, the two configuration parameters 41, 43 are created in advance independently of one another, but both relate to the intended nominal configuration of the safety device 17 to be configured.
In the example shown, the first configuration parameters 41 are communicated to the controller 11 by the mobile, processor-controlled data processing device 21. The data processing device 21 may be a smartphone 19 of a technician 23, on which a suitable application (App) is running. The first configuration parameters 41 may be entered, for example, by the technician 23 via the human machine interface 27 of the smartphone 19. The human-machine interface 27 may be, for example, a touch-sensitive screen 25 or a keyboard. Alternatively, the first configuration parameters 41 may also be called from an external source, for example an external database 37 provided in the data cloud 35, by means of the data communication module 29 of the smartphone 19. In the database 37, for example, configuration data can be stored, which are created during the design process of the people mover 1 or at the time of the order. The first configuration parameters 41 can then likewise be transmitted to the controller 11 or its data communication module 31, for example, by means of the data communication module 29. For example, the data transmission can be done wirelessly.
Furthermore, in the example shown, the second communication parameters 43 are provided by a data memory 39, which data memory 39 is coupled to the controller 11 for data exchange. The data memory 39 can be, for example, a flash memory, on which configuration data for all safety devices 17 of the people conveyor 1 are stored.
The first configuration parameters 41 and the second configuration parameters 43 are then further transmitted by the controller 11 to the secure device 17 or its data communication module 33. The data record reflecting the first and second configuration parameters 41, 43, i.e. the information-technical representation thereof, is not modified by the controller 11, in particular. The two transmitted configuration parameters 41, 43 are then compared with one another in the security device 17. If the two configuration parameters 41, 43 are to be matched within a predefined tolerance, the setpoint configuration parameter 47 corresponding to the two configuration parameters 41, 43 is saved in the safety device 17. In addition, nominal configuration parameters 47 are also communicated back to controller 11. Alternatively or additionally, the configuration signal 49 may be transmitted to the controller 11.
As a result of receiving the setpoint configuration parameters 47 and/or the configuration signal 49, the controller 11 can recognize that the safety device 17 has been correctly configured and can correctly perceive the monitoring function of the people conveyor 1. The control 11 may adjust the control of the functions of the people mover 1 accordingly. For example, the control 11 can then only operate the drive machine 7 such that the elevator car 5 moves in the elevator shaft 3 or such that the elevator car moves at a speed for normal operation of the people conveyor 1.
After recognizing the correct configuration of the safety device 17, the controller 11 can be transferred from the previous restricted mode, in which the functions of the people conveyor 1 are restricted from being used, to a normal mode, in which the functions of the people conveyor 1 are fully available.
Furthermore, the controller 11 may further send the nominal configuration parameters 47 to the mobile data processing device 21. The data items that reflect the setpoint configuration parameters 47, i.e. their information-technical presentation, are not modified, in particular by the controller 11. On the data processing device 21, the technician 23 can analyze the returned setpoint configuration parameters 47, for example, by comparing the setpoint configuration parameters with data previously entered by the technician 23 or with data previously read out from the database 37. In the event that the technician 23 determines that the target configuration parameters 47 are correct, i.e., for example, sufficiently correspond to the target values, the technician can confirm the correctness of the target configuration parameters 47, for example, by entering them on the human-machine interface 27. The data processing device 21 may then transmit the sealing signal 51 back to the controller 11. As a result of this sealing signal 51 being obtained, the controller 11 can then be transferred from the previous restricted mode, in which the function of the people conveyor 1 is also restricted in use, to a normal mode, in which the function of the people conveyor 1 is fully available.
Instead of entering the normal mode immediately after receiving the sealing signal 51 from the data processing device 21, the controller 11 may transmit the sealing signal 51 to the safety device 17. The safety device 17 then becomes a sealed state after receiving the seal signal 51, and transmits a sign-in signal 52 to the controller 11. The controller 11 transitions to the normal mode after receiving the sign-on signal 52 of the safety device 17.
In order to ensure the integrity of the data reflecting the different configuration parameters 41, 43, 47, a checksum 45 characterizing the respective configuration parameter 41, 43, 47 or the data thereof can additionally be transmitted together with these data when transmitting between the different devices (i.e. between the data processing device 21 and the controller 11 on the one hand, or between the controller 11 and the secure device 17 on the other hand). Such a checksum 45 can be determined beforehand as a CRC value.
In the example shown in the foregoing, the first configuration parameters 41 are determined by the mobile data processing device 21 and transmitted to the controller 11, whereas the second configuration parameters 43 are read from the data memory 39 provided directly on the controller 11. However, it should also be possible for the first configuration parameters 41 and the second configuration parameters 43 to be determined by the data processing device 21. For example, the data processing device 21 can determine the input of the technician 23 on its screen 25 as a first configuration parameter 41 on the one hand and the data called up from the database 37 as a second configuration parameter 43 on the other hand, and then transmit both configuration parameters 41, 43 to the controller 11.
It is likewise also conceivable that the two configuration parameters 41, 43 can be determined directly by the controller 11, for example, by the controller retrieving data from the database 37 via the data communication module 31 integrated in the controller 11 and receiving said data as the first configuration parameters 41, on the one hand, and receiving data from the data memory 39 as the second configuration parameters 43, on the other hand.
In particular, the configuration of the safety device 17 can be carried out by means of the method proposed here, without the technician 23 having to manually enter configuration data into the human-machine interface. For example, the security device 17 may compare the first configuration parameters 41 automatically read from the database 37 with the second configuration parameters 43 automatically read from the data storage 39. In the event of a sufficient agreement between the two configuration parameters 41, 43, the respective setpoint configuration parameter 47 can be automatically stored in the safety device 17. Based solely on all these automatically executed method steps, the safety device 17 can then at least enter a partial operating mode in which the functionality of the people conveyor is available at least to a limited extent or is provided to a limited extent in the functionality of the entire people conveyor 1. In the partial operating mode, for example, the speed at which the elevator car 5 is permitted to move may be limited, or the travel of the elevator car 5 may take place only after an additional confirmation has been made beforehand. At a later point in time, the stored setpoint configuration parameters 47 can be checked, for example, by the technician 23, and, if appropriate, a sealing signal 51 is transmitted to the controller 11, which can then be switched into the full operating mode.
In summary, with the method presented here, a higher reliability in terms of the configuration of the people conveyor 1 and thus an increased safety of the people conveyor 1 can be achieved. In addition, the configuration process itself can be simplified.
Finally, it is pointed out that: terms such as "having," "including," and the like do not exclude any other elements or steps, and terms such as "a" or "an" do not exclude a plurality. Furthermore, it should be pointed out that characteristics or steps which have been described with reference to one of the above embodiments can also be used in combination with other characteristics or steps of other embodiments described above. Reference signs in the claims shall not be construed as limiting.

Claims (15)

1. A method for operating a people mover (1),
wherein the people conveyor (1) has a controller (11) for controlling the functions of the people conveyor (1) and a safety device (17) for monitoring safety-critical functions of the people conveyor (1);
the safety device (17) can be configured to monitor safety-critical functions according to certain specifications by storing nominal configuration parameters (47) in a configured state;
the method comprises the following steps:
receiving, by a controller (11), a first configuration parameter (41) and a second configuration parameter (43) created independently of the first configuration parameter (41), wherein the first configuration parameter (41) and the second configuration parameter (43) are associated with a same nominal configuration parameter (47);
transmitting the first configuration parameters (41) and the second configuration parameters (43) to the secure device (17);
comparing the first configuration parameter (41) with the second configuration parameter (43) in the safety device (17), and, if the first configuration parameter (41) and the second configuration parameter (43) match within a predefined tolerance, storing a target configuration parameter (47) corresponding to the first configuration parameter (41) and the second configuration parameter (43) in the safety device (17), and transmitting the target configuration parameter (47) and/or a configuration signal (49) from the safety device (17) to the controller (11);
wherein the controller (11) controls the function of the people mover (1) depending on whether a nominal configuration parameter (47) and/or a configuration signal (49) is received from the people mover.
2. Method according to claim 1, wherein the control (11) controls the functions of a people conveyor (1) configured as an elevator installation in the following manner: so that the elevator car (5) of the people mover (1) is displaced in the elevator shaft (3) only after receiving the target configuration parameters (47) and/or configuration signals (49) therefrom.
3. The method according to claim 1 or 2, wherein the controller (11) receives the first configuration parameter (41) or the second configuration parameter (43) based on a manual input to be performed by a person on a human-machine interface (27).
4. A method according to claim 1, 2 or 3, wherein the controller (11) receives the first configuration parameter (41) or the second configuration parameter (43) by invoking data from a remotely arranged database (37).
5. The method according to claim 4, wherein the following data can be called in the database (37): the data are created during the design process and/or the order of the people conveyor (1) and contain the first configuration parameters (41) and/or the second configuration parameters (43), or the first configuration parameters (41) and/or the second configuration parameters (43) can be derived from the data.
6. The method according to any one of the preceding claims, wherein the controller (11) receives the first configuration parameters (41) and/or the second configuration parameters (43) from a mobile, processor-controlled data processing device (21) which can be temporarily coupled with the controller (11) for data exchange.
7. The method according to any of the preceding claims, wherein the controller (11) receives the first configuration parameters (41) or the second configuration parameters (43) from a data storage (39) coupled to the controller (11) for data exchange.
8. The method according to any one of the preceding claims, wherein the controller (11) communicates nominal configuration parameters (47) to a mobile, processor-controlled data processing device (21).
9. The method according to claim 8, wherein the data processing device (21) outputs the nominal configuration parameters (47) to a person and transmits a sealing signal (51) to the controller (11) in the case of a confirmation of the correctness of the nominal configuration parameters (47) by the person,
wherein the controller (11) controls the function of the people conveyor (1) within a limited range before receiving the sealing signal (51) and controls the function of the people conveyor (1) within a full range after receiving the sealing signal (51).
10. The method according to claim 9, wherein the controller (11) transmits a sealing signal (51) to a safety device (17),
the security device (17) switches to the sealed state and transmits a receipt signal (52) to the controller (11) after receiving the sealing signal (51), and
the controller (11) controls the function of the people conveyor (1) always within a limited range before receiving the receipt signal (52) and controls the function of the people conveyor (1) within the full range after receiving the receipt signal (52).
11. The method according to any one of the preceding claims, wherein the first configuration parameter (41) and/or the second configuration parameter (43) are transmitted by the controller (11) to the secure device (17) together with a checksum (45) characterizing the respective configuration parameter, respectively.
12. The method according to any of the preceding claims, wherein the data sets (41, 43) reflecting the first configuration parameters (41) and/or the second configuration parameters (43) are not modified by the controller (11) before being transmitted to the secure device (17).
13. People conveyor (1) having:
a controller (11) for controlling the functions of the people conveyor (1), and
a safety device (17) for monitoring safety-critical functions of the people conveyor (1);
wherein the safety device (17) is configurable to monitor safety-critical functions according to certain specifications by storing nominal configuration parameters (47) into a configured state;
the controller (11) and the safety device (17) are configured to perform or control a method according to any one of claims 1 to 12.
14. A computer program product which, when executed in a processor-controlled controller (11) for controlling functions of a people mover (1) and in a processor-controlled safety device (17) for monitoring safety-critical functions of a people mover (1), directs the people mover to perform or control a method according to any one of claims 1 to 12.
15. A computer readable medium having the computer program product of claim 14 stored thereon.
CN202180033650.4A 2020-05-08 2021-04-16 Method for operating a people conveyor by reliably configuring an electronic safety device Pending CN115515878A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP20173657 2020-05-08
EP20173657.6 2020-05-08
PCT/EP2021/059928 WO2021223982A1 (en) 2020-05-08 2021-04-16 Method for operating a passenger conveyor system by reliably configuring an electronic safety device

Publications (1)

Publication Number Publication Date
CN115515878A true CN115515878A (en) 2022-12-23

Family

ID=70680243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202180033650.4A Pending CN115515878A (en) 2020-05-08 2021-04-16 Method for operating a people conveyor by reliably configuring an electronic safety device

Country Status (4)

Country Link
US (1) US20230219785A1 (en)
EP (1) EP4146576A1 (en)
CN (1) CN115515878A (en)
WO (1) WO2021223982A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3782943B1 (en) * 2019-08-20 2023-02-22 KONE Corporation Method of commissioning a conveyor system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103373646A (en) * 2012-04-26 2013-10-30 郑坤丰 Elevator safety fault instant detection system and method thereof
EP2998259A1 (en) * 2014-09-18 2016-03-23 Kone Corporation An elevator system and a method for controlling elevator safety
EP3257798A1 (en) * 2016-06-17 2017-12-20 Inventio AG Person transport assembly with a first and at least a second evaluation module
CN108025887A (en) * 2015-09-11 2018-05-11 因温特奥股份公司 Apparatus and method for the service mode for monitoring lift facility
CN110831878A (en) * 2017-07-14 2020-02-21 因温特奥股份公司 Method for configuring safety-critical configuration parameters in a people conveyor

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103373646A (en) * 2012-04-26 2013-10-30 郑坤丰 Elevator safety fault instant detection system and method thereof
EP2998259A1 (en) * 2014-09-18 2016-03-23 Kone Corporation An elevator system and a method for controlling elevator safety
CN108025887A (en) * 2015-09-11 2018-05-11 因温特奥股份公司 Apparatus and method for the service mode for monitoring lift facility
EP3257798A1 (en) * 2016-06-17 2017-12-20 Inventio AG Person transport assembly with a first and at least a second evaluation module
CN110831878A (en) * 2017-07-14 2020-02-21 因温特奥股份公司 Method for configuring safety-critical configuration parameters in a people conveyor

Also Published As

Publication number Publication date
EP4146576A1 (en) 2023-03-15
WO2021223982A1 (en) 2021-11-11
US20230219785A1 (en) 2023-07-13

Similar Documents

Publication Publication Date Title
US9580276B2 (en) Elevator system with messaging for automated maintenance
EP3295263B1 (en) Method to update safety related software
US7699143B2 (en) Method of setting the floor associations of a plurality of operating units of an elevator installation
CN204065793U (en) For controlling the system of field apparatus
US10216152B2 (en) Method and apparatus for parameterizing a safety device
CN108473273B (en) Elevator data communication arrangement
US20190116105A1 (en) Sensor and method for the serial transmission of data of the sensor
CN101876816B (en) Method and operating device for operating a security-oriented industrial automation component
US11365088B2 (en) Monitoring device for a passenger transport system, testing method and passenger transport system
CN115515878A (en) Method for operating a people conveyor by reliably configuring an electronic safety device
CN109071164A (en) The transport equipment for persons of field device including central control unit and multiple fault recognition methods with optimization
EP2341406B1 (en) Method for safely parameterizing an electrical device
CN108367888B (en) Personnel transportation equipment, maintenance method and maintenance controller
JP2018529868A (en) Dangerous equipment control method and computer program therefor
US20230242374A1 (en) Method for operating a passenger transport system by reliably configuring an electronic safety device by means of visual data transmission
US10082780B2 (en) Method for parameterization of a field device and corresponding field device
US10520910B2 (en) I/O expansion for safety controller
US20160124397A1 (en) Handheld unit with combined signal evaluation
US11618648B2 (en) Safety monitoring device for monitoring safety-related states in a passenger conveyor system and method for operating same
JP2009274845A (en) Maintenance center device and elevator control device for remotely monitoring a plurality of kinds of elevators
US20220327867A1 (en) System and method for remotely updating data for computer devices included in an aircraft
US20230183049A1 (en) System and method for access control for a robotic vehicle
US11926059B2 (en) Method and system for automatically securing the operation of a robot system controlled by a mobile operating device
KR102617461B1 (en) Electronic apparatus and unmanned mobile apparatus
US20240059525A1 (en) Elevator control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination